none

[openafs-wiki.git] / AFSLore / EnablingAFSLoginonLinuxSystems.mdwn

At this point you incorporate AFS into the operating system's Pluggable Authentication Module (PAM) scheme. PAM integrates all authentication mechanisms on the machine, including login, to provide the security infrastructure for authenticated access to and from the machine.

Explaining PAM is beyond the scope of this document. It is assumed that you understand the syntax and meanings of settings in the PAM configuration file (for example, how the other entry works, the effect of marking an entry as required, optional, or sufficient, and so on).

The following instructions explain how to alter the entries in the PAM configuration file for each service for which you wish to use AFS authentication. Other configurations possibly also work, but the instructions specify the recommended and tested configuration.

The recommended AFS-related entries in the PAM configuration file make use of one or more of the following three attributes.

    try_first_pass

This is a standard PAM attribute that can be included on entries after the first one for a service; it directs the module to use the password that was provided to the first module. For the AFS module, it means that AFS authentication succeeds if the password provided to the module listed first is the user's correct AFS password. For further discussion of this attribute and its alternatives, see the operating system's PAM documentation.

    ignore_root

This attribute, specific to the AFS PAM module, directs it to ignore not only the local superuser root, but also any user with UID 0 (zero).

    ignore_uid uid

This option is an extension of the "ignore\_root" switch. The additional parameter is a limit. Users with a uid up to the given parameter are ignored by pam\_afs.so. Thus, a system administrator still has the opportunity to add local user accounts to his system by choosing between "low" and "high" user ids. An example /etc/passwd file for "ignore\_uid 100" may have entries like these:

            .
            .
    afsuserone:x:99:100::/afs/afscell/u/afsuserone:/bin/bash
    afsusertwo:x:100:100::/afs/afscell/u/afsusertwo:/bin/bash
    localuserone:x:101:100::/home/localuserone:/bin/bash
    localusertwo:x:102:100::/home/localusertwo:/bin/bash
            .
            .

AFS accounts should be locked in the file /etc/shadow like this:

            .
            .
    afsuserone:!!:11500:0:99999:7:::
    afsusertwo:!!:11500:0:99999:7:::
    localuserone:<thelocaluserone'skey>:11500:0:99999:7:::
    localusertwo:<thelocalusertwo'skey>:11500:0:99999:7:::
            .
            .

There is no need to store a local key in this file since the AFS password is sent and verfied at the AFS cell server!

    setenv_password_expires

This attribute, specific to the AFS PAM module, sets the environment variable PASSWORD\_EXPIRES to the expiration date of the user's AFS password, which is recorded in the Authentication Database.

    set_token

Some applications don't call pam\_setcred() in order to retrieve the appropriate credentials (here the AFS token) for their session. This switch sets the credentials already in pam\_sm\_authenticate() obsoleting a call to pam\_setcred(). Caution: Don't use this switch for applications which do call pam\_setcred()! One example for an application not calling pam\_setcred() are older versions of the samba server. Nevertheless, using applications with working pam session management is recommended as this setup conforms better with the PAM definitions.

    refresh_token

This options is identical to "set\_token" except that no new PAG is generated. This is necessary to handle processes like xlock or xscreensaver. It is not enough to give the screen and the keyboard free for the user who reactivated his screen typing in the correct AFS password, but one may also need fresh tokens with full livetime in order to work on, and the new token must be refreshed in the already existing PAG for the processes that have been started. This is achieved using this option.

    use_klog

Activating this switch the authentication is done by calling the external program "klog". One program requiring this is for example kdm of KDE 2.x.

    dont_fork

Usually, the password verification and the establishment of the token is performed in a sub process. Using this option pam\_afs does not fork and performs all actions in a single process. Only use this options in case you notice serious problems caused by the sub process. This option has been developed in respect to the "mod\_auth\_pam"-project (see also mod\_auth\_pam). The mod\_auth\_pam module enables PAM authentication for the apache http server package.

Session Management

    no_unlog

Normally the tokens are deleted (in memory) after the session ends. Using this options the tokens are left untouched. This behaviour has been the default in pam\_afs until openafs-1.1.1!

    remainlifetime sec

The tokens are kept active for sec seconds before they are deleted. X display managers i.e. are used to inform the applications started in the X session before the logout and then end themselves. If the token was deleted immediately the applications would have no chance to write back their settings to i.e. the user's AFS home space. This option may help to avoid the problem.

Perform the following steps to enable AFS login.

1. Mount the AFS CD-ROM for Linux on the /cdrom directory, if it is not already. Then change to the directory for PAM modules, which depends on which Linux distribution you are using.

If you are using a Linux distribution from Red Hat Software:

       # cd /lib/security

If you are using another Linux distribution:

       # cd /usr/lib/security

1. Copy the appropriate AFS authentication library file to the directory to which you changed in the previous step. Create a symbolic link whose name does not mention the version. Omitting the version eliminates the need to edit the PAM configuration file if you later update the library file.

If you use the AFS Authentication Server (kaserver process):

       # cp /cdrom/i386_linux22/lib/pam_afs.so.1  .

       # ln -s pam_afs.so.1 pam_afs.so

If you use a Kerberos implementation of AFS authentication:

       # cp /cdrom/i386_linux22/lib/pam_afs.krb.so.1   .

       # ln -s pam_afs.krb.so.1 pam_afs.so

1. For each service with which you want to use AFS authentication, insert an entry for the AFS PAM module into the auth section of the service's PAM configuration file. (Linux uses a separate configuration file for each service, unlike some other operating systems which list all services in a single file.) Mark the entry as sufficient in the second field.

Place the AFS entry below any entries that impose conditions under which you want the service to fail for a user who does not meet the entry's requirements. Mark these entries required. Place the AFS entry above any entries that need to execute only if AFS authentication fails.

Insert the following AFS entry if using the Red Hat distribution:

       auth  sufficient  /lib/security/pam_afs.so   try_first_pass  ignore_root

Insert the following AFS entry if using another distribution:

       auth  sufficient  /usr/lib/security/pam_afs.so  try_first_pass  ignore_root

Check the PAM config files also for "session" entries. If there are lines beginning with "session" then please insert this line too:

       session  optional  /lib/security/pam_afs.so

or

       session  optional  /usr/lib/security/pam_afs.so

This guaranties that the user's tokens are deleted from memory after his session ends so that no other user coincidently gets those tokens without authorization! The following examples illustrate the recommended configuration of the configuration file for several services:

Authentication Management (/etc/pam.d/login)

       #%PAM-1.0
       auth      required   /lib/security/pam_securetty.so
       auth      required   /lib/security/pam_nologin.so
       auth      sufficient /lib/security/pam_afs.so try_first_pass ignore_root
       #                                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
       #This enables AFS authentication for every user but root
       auth      required   /lib/security/pam_pwdb.so shadow nullok
       account   required   /lib/security/pam_pwdb.so
       password  required   /lib/security/pam_cracklib.so
       password  required   /lib/security/pam_pwdb.so shadow nullok use_authtok
       session   optional   /lib/security/pam_afs.so
       #Make sure tokens are deleted after the user logs out
       session   required   /lib/security/pam_pwdb.so

(/etc/pam.d/samba)

       auth       required     /lib/security/pam_afs.so ignore_uid 100 set_token
       #                                                ^^^^^^^^^^^^^^^^^^^^^^^^
       #Here, users with uid>100 are considered to belong to the AFS and users
       #with uid<=100 are ignored by pam_afs. The token is retrieved already in
       #pam_sm_authenticate() (this is an example pam config for a samba version
       #that does not call pam_setcred(), it also does no sense to include session
       #entries here since they would be ignored by this version of samba ).
       account    required     /lib/security/pam_pwdb.so

(/etc/pam.d/xscreensaver)

       auth       sufficient   /lib/security/pam_afs.so ignore_uid 100 refresh_token
       #                                                               ^^^^^^^^^^^^^
       #Avoid generating a new PAG for the new tokens, use the already existing PAG and
       #establish a fresh token in it.
       auth       required     /lib/security/pam_pwdb.so try_first_pass

(/etc/pam.d/httpd)

       auth       required   /lib/security/pam_afs.so ignore_uid 100 dont_fork
       #                                                             ^^^^^^^^^
       #Don't fork for the verification of the password.

Session Management (/etc/pam.d/su)

       auth       sufficient   /lib/security/pam_afs.so ignore_uid 100
       auth       required     /lib/security/pam_pwdb.so try_first_pass
       account    required     /lib/security/pam_pwdb.so
       password   required     /lib/security/pam_cracklib.so
       password   required     /lib/security/pam_pwdb.so use_authtok
       session    required     /lib/security/pam_pwdb.so
       session    optional     /lib/security/pam_afs.so no_unlog
       #                                                ^^^^^^^^
       #Don't delete the token in this case, since the user may still
       #need it (for example if somebody logs in and changes to root
       #afterwards he may still want to access his home space in AFS).
       session    required     /lib/security/pam_login_access.so
       session    optional     /lib/security/pam_xauth.so

(/etc/pam.d/xdm)

       auth       required     /lib/security/pam_nologin.so
       auth       required     /lib/security/pam_login_access.so
       auth       sufficient   /lib/security/pam_afs.so ignore_uid 100 use_klog
       auth       required     /lib/security/pam_pwdb.so try_first_pass
       account    required     /lib/security/pam_pwdb.so
       password   required     /lib/security/pam_cracklib.so
       password   required     /lib/security/pam_pwdb.so shadow nullok use_authtok
       session    optional     /lib/security/pam_afs.so remainlifetime 10
       #                                                ^^^^^^^^^^^^^^^^^
       #Wait 10 seconds before deleting the AFS tokens in order to give
       #the programs of the X session some time to save their settings
       #to AFS.
       session    required     /lib/security/pam_pwdb.so